Cisco Support Community
Community Member

Site-to-Site VPN - ACL placement???

I have a site-to-site VPN setup between two offices, site A and site B. Can someone tell me where I would place my ACLs (on site A's PIX) to restrict traffic from site B to specific hosts/ports at site A?

TIA

6 REPLIES
Green

Re: Site-to-Site VPN - ACL placement???

What version of pix?

If you disable sysopt connection permit-ipsec you can then write the access-list inbound on the outside interface of PIX A. If you use that command, this will filter all IPsec traffic to PIX A.

Silver

Re: Site-to-Site VPN - ACL placement???

Hello,

You can bind an access-list to the inside interface of the PIX, but remember this access-list would be inbound.

For example:

access-list 120 deny ip host 172.16.10.10 192.168.10.0 255.255.255.0
access-list 120 permit ip any any
access-group 120 in interface inside

HTH

Saju

Pls rate if it helps

Community Member

Re: Site-to-Site VPN - ACL placement???

site A has a PIX running 6.3(5)

I already have an access-list associated with my inside interface. I was thinking I could put it there, but wasn't sure.

So I could say:

object-group network DB_Servers
 network-object host 2.2.2.3
 network-object host 2.2.2.4
object-group service DB_Server_Ports tcp-udp
 port-object eq 1521
 port-object eq 3306
access-list my_acl permit ip host 1.1.1.1 object-group DB_Servers DB_Server_Ports

**Is the permit statement correct using "ip"?

Green

Re: Site-to-Site VPN - ACL placement???

Your original post sounds like you were filtering traffic originating from site B destined to site A. If this is the case, filtering traffic into the inside interface of site A won't work. You would want to put an inside acl on site B.

Silver

Re: Site-to-Site VPN - ACL placement???

I agree with Adam, try to put the acl on site B instead of site A.

Community Member

Re: Site-to-Site VPN - ACL placement???

In this particular case that will work fine as I have access to both ends of the tunnel.

However, if I had no access to the other end, like if it were a contractor, how would I protect myself from something coming into my network across the tunnel from their network?
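Putting the first reply's suggestion (disable sysopt connection permit-ipsec and filter on the outside interface) together with the last question about a tunnel peer you do not control, here is an added PIX 6.3 configuration example; it is not from any participant in the thread. It reuses the poster's hosts, ports and object-group names; the ACL name outside_acl is an assumption, the service group is narrowed to tcp because 1521 and 3306 are TCP ports, and the entry uses tcp rather than the ip keyword the poster asked about, since a port object-group can only be matched against tcp or udp.

```cisco
! Site A hosts and ports that the site B host may reach (values from the thread)
object-group network DB_Servers
  network-object host 2.2.2.3
  network-object host 2.2.2.4
object-group service DB_Server_Ports tcp
  port-object eq 1521
  port-object eq 3306
!
! With this disabled, traffic leaving the tunnel is checked by the
! outside interface's inbound ACL instead of being trusted blindly
no sysopt connection permit-ipsec
!
! outside_acl is an assumed name; use tcp (not ip) when referencing a port object-group
access-list outside_acl permit tcp host 1.1.1.1 object-group DB_Servers object-group DB_Server_Ports
! Log and drop everything else the peer sends across the tunnel
access-list outside_acl deny ip host 1.1.1.1 any log
access-group outside_acl in interface outside
```

Only one inbound access-group is allowed per interface, so if the outside interface already carries an ACL these entries are added to it rather than replacing it; the explicit deny with log gives a record of anything unexpected arriving from the remote site.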
